
Intro: Current fake-support and fake-update scripts cut the interaction to the bare minimum and go straight to the ask: "give me the recovery phrase," "enable remote," "disable antivirus," "scan a QR to pay a few yuan." Once you hear one of these high-risk requests, stop immediately and verify, even if the other party claims to be official or shows a ticket number. Here's the red-line request list for fast triage.
Background
Social-engineering scripts compress decision time, emphasising "do it now" so users can't think or verify. The attacker often starts with a warning or compensation hook before asking for the specific action.
These requests appear across channels: DM, phone, popup, fake update package, search-ad pages. The scenes differ, but the triggering actions are the same. In many cases attackers first offer small favours to build trust, then quickly push the red-line action.
The common victim psychology is "just one click / just a few bucks should be fine" — and that's exactly the attack's keystone.
High-risk request list
1) Asking for recovery phrase / private key / seed phrase: in any scenario, providing it means handing over control of your assets. Official channels never collect these.
2) Asking for remote assistance / screen share: once granted, the other side can watch input, induce paste of sensitive info, or push malicious scripts.
3) Asking you to disable antivirus / firewall / security prompts: to make way for malicious files or fake update packages. Legitimate support doesn't ask.
4) Asking you to scan a code or send a small amount to "verify identity / unlock / test receipt": used to validate card/payment info or escalate to verification-code harvesting.
5) Directing download of a non-official "patch / installer": file names may include "Ledger" or "Security Fix", but the domain doesn't match the official one, or the link hops through short URLs.
Common misconceptions
Misconception 1: They can say my order number so they must be real.
Clarification: Leaked data gets abused. Still verify domain and channel independently.
Misconception 2: "Just a few minutes of screen share" is fine.
Clarification: A few minutes is enough to capture verification codes, wallet UI, or download malware.
Misconception 3: Small payment amount = safe.
Clarification: Small-amount verification is used to test payment channels before bigger charges.
Misconception 4: Email/page has the official logo — trustworthy.
Clarification: Visual elements are easily copied. Verify domain and payee.
Misconception 5: Phone call plays "support hold music" — must be real.
Clarification: Audio is easy to fake. Still verify number and domain.
Principles
1) On hearing any red-line request, stop first, then verify via the official entry (manual URL or Ledger Live support) — don't act on the link/file they provide.
2) Don't read verification codes aloud, don't screen-share, don't pay a "test." If they keep pushing or pressure, end the call and record evidence.
3) Keep device security software on; updates from the official domain only. Reject unknown links, short links, and multi-hop redirects. If needed, re-log in on a trusted device rather than operating in the environment they specify.
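One way to apply request 5 and principle 3 to a link before acting on it, as an added example that is not part of the original page. The official domain `vendor.example`, the brand keyword, the shortener list and the sample URLs are placeholder assumptions; substitute the vendor's real domain.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumptions for illustration (not from the page):
OFFICIAL_DOMAINS = {"vendor.example"}            # placeholder official domain
BRAND_KEYWORDS = {"vendor"}                      # brand string a lookalike would reuse
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}   # small sample of URL shorteners


def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for the official domain or a true subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in official)


def vet_link(url):
    """Return reasons to refuse the link; an empty list means nothing was flagged."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["no-host"]
    reasons = []
    # "https://vendor.example@other.test/" really goes to other.test
    if parts.username is not None:
        reasons.append("userinfo-in-url")
    if host in SHORTENERS:
        reasons.append("short-link")
    # A full URL inside a query parameter suggests a redirect hop
    if any(v.lower().startswith(("http://", "https://"))
           for _, v in parse_qsl(parts.query)):
        reasons.append("embedded-redirect")
    if not is_official(host):
        reasons.append("non-official-domain")
        # Brand name on a non-official host: "vendor-security-fix.test"
        if any(b in host for b in BRAND_KEYWORDS):
            reasons.append("brand-lookalike")
    return reasons


if __name__ == "__main__":
    # Constructed sample links, not real indicators
    for link in ("https://support.vendor.example/help",
                 "https://bit.ly/abc123",
                 "https://vendor-security-fix.test/patch.exe",
                 "https://vendor.example@login.test/",
                 "https://tracker.test/r?u=https://vendor.example.fix.test/"):
        print(link, "->", vet_link(link) or "ok")
```

An empty result only means none of these checks fired; the principle of reaching support through a manually typed official URL still applies.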
Safety reminder: We will never ask for your recovery phrase, PIN, verification codes, or private keys. Anyone requesting them is attempting fraud — do not share and do not proceed.